{
	"id": "ad9b7c37-428c-4d6d-96a3-643ae751aa60",
	"created_at": "2026-04-06T00:06:16.906229Z",
	"updated_at": "2026-04-10T03:36:13.63458Z",
	"deleted_at": null,
	"sha1_hash": "15fd3fa725f9b4fb0f6d9a34dae068b8c14548e4",
	"title": "Backing up and restoring snapshots on Amazon EC2 machines - TechRepublic",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 61457,
	"plain_text": "Backing up and restoring snapshots on Amazon EC2 machines -\r\nTechRepublic\r\nBy Nick Hardiman\r\nPublished: 2012-03-21 · Archived: 2026-04-05 18:50:01 UTC\r\nNick Hardiman describes several methods of backups of your Amazon EC2 machines. He also details the steps for\r\nrestoring snapshot backups.\r\nAs part of my operational readiness preparation, I want to make sure my Internet service is recoverable. I covered\r\nthe developers’ favourite method – application-level backup – in my last post.\r\nOS-level backup and recovery\r\nSysadmins prefer to back up chunks of the file system. Many outstanding Linux backup utilities can help you\r\nmanage a file system, the complexity of versioning, automation, backups spread across different media and rolling\r\nback to just the right files.\r\nOS level backups got all the attention for decades. Now it’s a bit old and the younger model VM snapshots are\r\ngetting all the attention. Don’t be dazzled: OS-level backup is the best solution.\r\nVM-level backup and recovery\r\nThe elephant gun approach – when you absolutely positively have to back up everything – is to copy the contents\r\nof an EC2 machine. You don’t really copy the machine itself: you copy a disk volume. Behind the scenes, the\r\nvolume is reduced to one fat image file and some meta-data.\r\nAWS make it easy to litter their storage with your backups. If an enterprise uses these volumes as its backup\r\nstrategy, storage use spirals. The enterprise ends up with thousands of files in many cloud storage areas and has\r\nquite a job keeping track of the what is being stored, how much is being stored, and how much it is costing. The\r\nenterprise’s spanner-wielding officers archive their work using a storage service like AWS S3, and bean-counting\r\nofficers monitor the financial implications using a cost monitoring service like Uptimecloud.\r\nMake a backup snapshot using the AWS console\r\nThis is a simple backup procedure for taking one snapshot and storing it in EBS. A snapshot is a copy of a disk\r\nvolume. A snapshot is not a complete copy – it is only the bits that have changed since the last snapshot.\r\nThis procedure is similar to launching a new VM.\r\nFind the name of the volume to back up.\r\n1. Open the AWS console.\r\nhttps://www.techrepublic.com/blog/the-enterprise-cloud/backing-up-and-restoring-snapshots-on-amazon-ec2-machines/\r\nPage 1 of 3\n\n2. Navigate to the list of EC2 machines. The breadcrumbs to follow are EC2 tab \u003e INSTANCES \u003e Instances.\r\n3. Display the root device name of the machine to back up. Tick the row in the top pane, click the sda1 link in\r\nthe bottom pane and a popup box appears with the volume’s EBS ID name, along the lines of vol-12345678. Make a snapshot.\r\n4. Open the snapshot dialog box. ELASTIC BLOCK STORE | Snapshots | Create Snapshot button in the top\r\npane.\r\n5. Fill in the form. I entered the name as baseline with description apps installed, no content yet.\r\n6. Click the Create button. The AWS apps behind the scenes create the backup in a couple minutes.\r\nRestore a backup snapshot by launching a new EC2 machine\r\nOne method of restoring is to recreate the entire EC2 machine. This restore procedure is similar to my initial EC2\r\nmachine creation.\r\n1. Make an image from the snapshot. I called mine img01. EC2 tab | ELASTIC BLOCK STORE | Snapshots |\r\nbaseline row | Create Image.\r\n2. View the image. IMAGES | AMIs | Refresh.\r\n3. Make an instance from the image. INSTANCES | Instances | Launch Instance | Create a New Instance. The\r\nMy AMIs tab shows the name 123456789012/img01. That long number is my AWS account number.\r\nRestore a backup snapshot by mounting on an existing EC2 machine\r\nAnother way is to make a volume from the snapshot to mount the volume on an existing EC2 machine and copy\r\nfiles from it. I have done this when my new EC2 machine’s kernel refused to mount an old snapshot’s volume.\r\nThe first thing to do is a little research. You can’t mount a volume from one zone on a machine in another zone.\r\nCheck the EC2 machine.\r\n1. Pick an instance. EC2 tab | INSTANCES | Instances.\r\n2. Make a note of the EC2 machine’s availability zone.\r\nCreate a volume.\r\n1. Find the snapshot you want to copy files from and tick the box. ELASTIC BLOCK STORE | Snapshots\r\n2. Click the Create Volume button and fill in the fields.\r\nThe Size must be bigger than the snapshot size (free micro-instances get an 8GB volume).\r\nThe Availability Zone must be the same as the EC2 machine’s.\r\nThe Snapshot is already selected, more or less like snap12345678 – my description.\r\n3. Click the Yes, Create button. A new line appears in the Volumes table. ELASTIC BLOCK STORE |\r\nVolumes\r\nAttach the volume.\r\n1. Click the Attach Volume button and fill in the fields.\r\n2. The Volume value is already there.\r\nhttps://www.techrepublic.com/blog/the-enterprise-cloud/backing-up-and-restoring-snapshots-on-amazon-ec2-machines/\r\nPage 2 of 3\n\n3. Pick your machine name i-12345678 (running) from the drop-down list of Instances.\r\n4. The Devices field shows the first available device name, like /dev/sdf. Does anyone bother changing this\r\nvalue?\r\n5. Click the Yes, Create button. A new device magically appears on the EC2 machine.\r\n6. Close the AWS console.\r\nCopy files.\r\n1. Open a CLI.\r\n2. Mount the new volume.\r\nsudo mount /dev/sdf /mnt/\r\n3. Copy any files you want to the old volume.\r\ncp /mnt/home/ec2-user/my-old-file.txt /home/ec2-user/\r\nClean up.\r\n1. Unmount the new volume.\r\nsudo umount /mnt/\r\n2. Close the CLI.\r\nShare Article\r\nNick Hardiman\r\nNick Hardiman builds and maintains the infrastructure required to run Internet services such as the web. Nick\r\ndeals with the lower layers of the Internet - the machines, networks, operating systems and applications. Nick's job\r\nstops there and he hands over to the designers and developers who build the top layer that customers use.\r\nSource: https://www.techrepublic.com/blog/the-enterprise-cloud/backing-up-and-restoring-snapshots-on-amazon-ec2-machines/\r\nhttps://www.techrepublic.com/blog/the-enterprise-cloud/backing-up-and-restoring-snapshots-on-amazon-ec2-machines/\r\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.techrepublic.com/blog/the-enterprise-cloud/backing-up-and-restoring-snapshots-on-amazon-ec2-machines/"
	],
	"report_names": [
		"backing-up-and-restoring-snapshots-on-amazon-ec2-machines"
	],
	"threat_actors": [
		{
			"id": "f8dddd06-da24-4184-9e24-4c22bdd1cbbf",
			"created_at": "2023-01-06T13:46:38.626906Z",
			"updated_at": "2026-04-10T02:00:03.043681Z",
			"deleted_at": null,
			"main_name": "Tick",
			"aliases": [
				"G0060",
				"Stalker Taurus",
				"PLA Unit 61419",
				"Swirl Typhoon",
				"Nian",
				"BRONZE BUTLER",
				"REDBALDKNIGHT",
				"STALKER PANDA"
			],
			"source_name": "MISPGALAXY:Tick",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "54e55585-1025-49d2-9de8-90fc7a631f45",
			"created_at": "2025-08-07T02:03:24.563488Z",
			"updated_at": "2026-04-10T02:00:03.715427Z",
			"deleted_at": null,
			"main_name": "BRONZE BUTLER",
			"aliases": [
				"CTG-2006 ",
				"Daserf",
				"Stalker Panda ",
				"Swirl Typhoon ",
				"Tick "
			],
			"source_name": "Secureworks:BRONZE BUTLER",
			"tools": [
				"ABK",
				"BBK",
				"Casper",
				"DGet",
				"Daserf",
				"Datper",
				"Ghostdown",
				"Gofarer",
				"MSGet",
				"Mimikatz",
				"Netboy",
				"RarStar",
				"Screen Capture Tool",
				"ShadowPad",
				"ShadowPy",
				"T-SMB",
				"down_new",
				"gsecdump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d4e7cd9a-2290-4f89-a645-85b9a46d004b",
			"created_at": "2022-10-25T16:07:23.419513Z",
			"updated_at": "2026-04-10T02:00:04.591062Z",
			"deleted_at": null,
			"main_name": "Bronze Butler",
			"aliases": [
				"Bronze Butler",
				"CTG-2006",
				"G0060",
				"Operation ENDTRADE",
				"RedBaldNight",
				"Stalker Panda",
				"Stalker Taurus",
				"Swirl Typhoon",
				"TEMP.Tick",
				"Tick"
			],
			"source_name": "ETDA:Bronze Butler",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"9002 RAT",
				"AngryRebel",
				"Blogspot",
				"Daserf",
				"Datper",
				"Elirks",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEUNIX",
				"HidraQ",
				"HomamDownloader",
				"Homux",
				"Hydraq",
				"Lilith",
				"Lilith RAT",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"Minzen",
				"Moudour",
				"Muirim",
				"Mydoor",
				"Nioupale",
				"PCRat",
				"POISONPLUG.SHADOW",
				"Roarur",
				"RoyalRoad",
				"ShadowPad Winnti",
				"ShadowWali",
				"ShadowWalker",
				"SymonLoader",
				"WCE",
				"Wali",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"XShellGhost",
				"XXMM",
				"gsecdump",
				"rarstar"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775433976,
	"ts_updated_at": 1775792173,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/15fd3fa725f9b4fb0f6d9a34dae068b8c14548e4.pdf",
		"text": "https://archive.orkl.eu/15fd3fa725f9b4fb0f6d9a34dae068b8c14548e4.txt",
		"img": "https://archive.orkl.eu/15fd3fa725f9b4fb0f6d9a34dae068b8c14548e4.jpg"
	}
}